1. Technical Field
The present invention relates in general to computer networks and more specifically to network ports utilized to provide access to resources on computer networks. Still more particularly, the present invention relates to a method and system for reserving ports for accessing computer network resources.
2. Description of the Related Art
Computer networks, their hardware configuration and the protocols by which the network connection and communications are managed are well known in the computer arts. One method utilized to harmonize the various types/implementations of computer networks is the assignment of specific port numbers for connecting a client system to a particular resource available on the network server.
A port number is a way to identify the specific process to which an Internet or other network message is to be delivered when the message arrives at the server. Within the commonly utilized Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), a port number is a 16-bit unsigned integer (0 through 65535) carried in the transport-layer header that precedes the payload of each segment or datagram. Each such header carries two port numbers, a source port and a destination port. The port number is passed logically between the client and server transport layers and, within each host, between the transport layer and the Internet Protocol (IP) layer.
When a first application on the client system initiates a communication with a second application at the server (i.e., the host computer), the first application designates that second application in each data transmission by placing the port number associated with the second application in the destination port field of the transport header. Before the first application can receive traffic, the second application must have been started, must have “bound” to the TCP port number that corresponds to the service being provided, and must be listening for incoming connection requests on that port. The TCP port numbers thereby designate the queues into which arriving data packets are placed for service by the application running on that system.
For example, when a client requests a file from the server via File Transfer Protocol (FTP), the Transmission Control Protocol (TCP) software layer in the client system sets the destination port number to 21 (which by convention is associated with the FTP control connection) in the 16-bit port number field of the transport header. The client's own, typically ephemeral, port number is placed in the source port field. On the server side, a system call referred to as a “bind” has previously associated a local network address that includes port number 21 with the listening socket of the FTP program. At the server, the TCP layer reads the destination port number of 21 and automatically forwards the request to that FTP program.
Some services or processes have conventionally assigned permanent port numbers. These are known as well-known port numbers. In other cases, port numbers are assigned temporarily (for the duration of the request and its completion) from a range of assignable port numbers, as is typically done for the client side of a connection. These port numbers are called ephemeral port numbers.
The well-known port numbers are reserved for use by the application end points that communicate using the Internet's TCP or UDP. Each kind of application has a designated (and thus “well-known”) port number. For example, the remote job entry (RJE) application has port number 5; the Hypertext Transfer Protocol (HTTP) application has port number 80; and the Post Office Protocol Version 3 (POP3) application, commonly used for e-mail retrieval, has port number 110. Other examples include the Simple Mail Transfer Protocol (SMTP) having port number 25, telnet having port number 23, and file transfer protocol (FTP) having port numbers 20 and 21.
When a client system communicates with a particular service, the port number of that service is included in every request sent to the server. Typically, multiple server programs or applications may attempt to bind to a single port number, and the port number is allocated on a first-to-request basis. That is, the first program that requests the port number is allocated the resources of that port number. When programs in user space are created, the programs utilize pre-agreed port numbers. For example, a server program may be written to use port number 4000, and when the server program is initiated, the program automatically builds its control information and binds to port 4000.
Some applications are hard-coded to use specific port number(s). On most systems, a well-known port number can only be bound by a system (root) process or by a program being run by a privileged user. The client software is therefore always directed at that specific port, and a client accessing a particular service must connect to the specific port on the server. Alternatively, a manufacturer may pick a port number to assign to a server-client pair that is sold to a customer. The client and server then communicate exclusively via that port number.
There are typically competing resources for access to the ports. A port is allocated to users, groups, and/or processes on a first-come, first-served basis, and once a port is bound it remains unavailable to any other user/group/process until the first session is terminated (voluntarily or involuntarily) or is completed. While one resource holds the port, a competing resource that requests the same port is refused access to it.
There is currently no method to reserve a port number for a specific user, group, or application. If an application is stopped or aborts, the port number is released and may subsequently be bound by the same or another application. On large scale servers that serve multiple clients with competing requests for access to particular applications/ports, the port assigned to a first server program that is prematurely terminated may be re-assigned to a second server program before the first server program can be restarted. The first server program is thereby prevented from restarting and completing in a timely manner.
For example, if the application of the first server program encounters a problem, the port is released (the session is temporarily halted). At this point any other program is able to utilize the port although the first server program still needs the port. The first server program is thus forced to wait until the port is released by the second program. This method of allocating ports to competing resources on a first-come, first-served basis is detrimental for “priority” applications that are processing-time-sensitive, are expensive, and/or have a higher priority than other applications. Delaying subsequent access to the port by forcing the priority application of the first server program to wait until the port is again available is not ideal. The only alternative currently available is for the administrator to find the process that is using the required port and kill that process before trying to restart the priority application.
One additional problem with current protocols that control port usage involves the utilization of privileged/reserved ports. Certain ports, known as “reserved ports” (on UNIX-style systems, the ports numbered below 1024), are configured to require privilege to bind to that port even though the application itself requires no additional privilege. Some services genuinely require privilege for their operation; other services only require access to the reserved port. These latter services are nevertheless granted the privilege needed to bind to the reserved ports, and once that privilege is granted, the privileged access opens the server to attacks by persons who should not have been provided such privileged access.
Each user/system/application with permission to bind the reserved port is provided with a privilege. The person or entity holding that privilege is provided unrestricted access to the port (i.e., the privilege is granted), and because the privilege is not limited to the act of binding, the person or entity also has complete/full access to the server system.
As stated above, some of the applications given the privilege do not really require it because they only need to bind to the port. When such an over-privileged application is compromised, a correspondingly greater compromise of the security features of the entire system occurs. Attacks on the system may occur once the user/program binds to the port.
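The two problems described above, first-come, first-served port contention after a server program terminates and the privilege required to bind a reserved port, can both be observed with a short script. The following Python example is added here for illustration and is not part of the original specification or of the invention it introduces. It binds an ephemeral port (port 0 asks the kernel to choose one), shows that a second program cannot bind that port while the first holds it, shows that the port is free for anyone the moment the first program closes its socket, and finally probes whether the current process is allowed to bind port 80. The function names `try_bind`, `demonstrate_contention`, and `probe_privileged_port` are the example's own; the loopback address 127.0.0.1 is assumed to be available.

```python
import errno
import socket


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind and listen on a TCP socket at host:port.

    Returns (sock, 0) on success or (None, errno_value) on failure.
    The caller owns the returned socket; closing it releases the port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(1)
        return sock, 0
    except OSError as exc:
        sock.close()
        return None, exc.errno


def err_name(err):
    """Map an errno value to its symbolic name ('OK' for success)."""
    return "OK" if err == 0 else errno.errorcode.get(err, str(err))


def demonstrate_contention():
    """Act out the first-come, first-served allocation described in the text.

    Returns a dict with the ephemeral port the kernel handed out, the result of
    a competing bind while the first program holds the port, and the result of
    the same bind after the first program has terminated (closed its socket).
    """
    first, err = try_bind(0)                     # port 0: kernel picks an ephemeral port
    if err:
        raise RuntimeError("could not bind an ephemeral port: " + err_name(err))
    port = first.getsockname()[1]
    _, while_held = try_bind(port)               # competitor is refused with EADDRINUSE
    first.close()                                # first program terminates; port released
    second, after_release = try_bind(port)       # competitor now wins the port outright
    if second is not None:
        second.close()
    return {
        "port": port,
        "while_held": err_name(while_held),
        "after_release": err_name(after_release),
    }


def probe_privileged_port(port=80):
    """Report the outcome of binding a reserved port (below 1024).

    'EACCES' means the process lacks the privilege to bind reserved ports,
    'EADDRINUSE' means some other program already holds it, and 'OK' means the
    bind succeeded (the process is running as root or with an equivalent
    capability, which is exactly the over-privilege the text warns about).
    """
    sock, err = try_bind(port)
    if sock is not None:
        sock.close()
    return err_name(err)


if __name__ == "__main__":
    outcome = demonstrate_contention()
    print("ephemeral port %(port)d: competing bind while held -> %(while_held)s, "
          "after release -> %(after_release)s" % outcome)
    print("bind to reserved port 80 ->", probe_privileged_port())
```

Run as an ordinary user on a UNIX-style system, the last line reports `EACCES`; run as root it reports `OK` (or `EADDRINUSE` if a web server is already listening), which is precisely the situation the text objects to: a program that needs nothing beyond the ability to bind port 80 must be given the full privilege of the superuser to do so. The customary operational workaround, outside the scope of this specification, is to bind the reserved port while privileged and then drop to an unprivileged user before serving requests, or to grant only a bind-specific capability.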
In light of the foregoing limitations with current port allocation protocols/methods, the present invention recognizes that it would be desirable to provide a method and system for eliminating the port-availability wait time inherent in current systems when specific priority applications/users request a bind to a particular port following an interruption/disconnection of a previous bind by that application/user. A method and system that allocates specific ports to specific priority applications/users, so as to substantially eliminate resource contention for binding the server application, would be a welcome improvement. It would further be desirable to provide a method and system that eliminates the security threat to server systems that arises when privileged access is granted to general applications merely so that they can connect to a reserved port, since that privilege ultimately enables full system access once the bind occurs. These and other benefits are provided by the invention described herein.